MCPcopy Index your code
hub / github.com/coder/coder / TestMCPServerConfigsSecretsNeverLeaked

Function TestMCPServerConfigsSecretsNeverLeaked

coderd/mcp_test.go:196–292  ·  view source on GitHub ↗

TestMCPServerConfigsSecretsNeverLeaked is a load-bearing test that ensures secret fields (OAuth2 client secret, API key value, custom headers) are never present in API responses for any caller. If this test fails, it means a code change accidentally started exposing secrets. See: https://github.com/

(t *testing.T)

Source from the content-addressed store, hash-verified

194// test fails, it means a code change accidentally started exposing
195// secrets. See: https://github.com/coder/coder/pull/23227#discussion_r2959461109
196func TestMCPServerConfigsSecretsNeverLeaked(t *testing.T) {
197 t.Parallel()
198
199 ctx := testutil.Context(t, testutil.WaitLong)
200 adminClient := newMCPClient(t)
201 firstUser := coderdtest.CreateFirstUser(t, adminClient)
202 memberClient, _ := coderdtest.CreateAnotherUser(t, adminClient, firstUser.OrganizationID)
203
204 // Create a config with ALL secret fields populated.
205 created, err := adminClient.CreateMCPServerConfig(ctx, codersdk.CreateMCPServerConfigRequest{
206 DisplayName: "Secrets Test",
207 Slug: "secrets-test",
208 Transport: "streamable_http",
209 URL: "https://mcp.example.com/secrets",
210 AuthType: "oauth2",
211 OAuth2ClientID: "client-id-secret-test",
212 OAuth2ClientSecret: "THIS-IS-A-SECRET-VALUE",
213 OAuth2AuthURL: "https://auth.example.com/authorize",
214 OAuth2TokenURL: "https://auth.example.com/token",
215 OAuth2Scopes: "read write",
216 APIKeyHeader: "X-Api-Key",
217 APIKeyValue: "THIS-IS-A-SECRET-API-KEY",
218 CustomHeaders: map[string]string{"X-Custom": "THIS-IS-A-SECRET-HEADER"},
219 Availability: "default_on",
220 Enabled: true,
221 ToolAllowList: []string{},
222 ToolDenyList: []string{},
223 })
224 require.NoError(t, err)
225
226 // The sentinel values we must never see in any JSON response.
227 secrets := []string{
228 "THIS-IS-A-SECRET-VALUE",
229 "THIS-IS-A-SECRET-API-KEY",
230 "THIS-IS-A-SECRET-HEADER",
231 }
232
233 assertNoSecrets := func(t *testing.T, label string, v interface{}) {
234 t.Helper()
235 data, err := json.Marshal(v)
236 require.NoError(t, err)
237 jsonStr := string(data)
238 for _, secret := range secrets {
239 assert.False(t, strings.Contains(jsonStr, secret),
240 "%s: JSON response contains secret %q", label, secret)
241 }
242 }
243
244 // Verify the create response doesn't leak secrets.
245 assertNoSecrets(t, "admin create response", created)
246
247 // Verify boolean indicators are set correctly.
248 require.True(t, created.HasOAuth2Secret, "HasOAuth2Secret should be true")
249 require.True(t, created.HasAPIKey, "HasAPIKey should be true")
250 require.True(t, created.HasCustomHeaders, "HasCustomHeaders should be true")
251
252 // Admin list endpoint.
253 adminConfigs, err := adminClient.MCPServerConfigs(ctx)

Callers

nothing calls this directly

Calls 12

ContextFunction · 0.92
CreateFirstUserFunction · 0.92
CreateAnotherUserFunction · 0.92
newMCPClientFunction · 0.85
CreateMCPServerConfigMethod · 0.80
MCPServerConfigsMethod · 0.80
NotEmptyMethod · 0.80
MCPServerConfigByIDMethod · 0.80
HelperMethod · 0.65
MarshalMethod · 0.45
ContainsMethod · 0.45
EmptyMethod · 0.45

Tested by

no test coverage detected